Bug 508582

Summary: *** buffer overflow detected ***: /usr/lib64/firefox-3.5b4/firefox terminated
Product: Fedora
Component: xulrunner
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED DUPLICATE
Severity: high
Priority: low
Reporter: Nicolas Mailhot <nicolas.mailhot>
Assignee: Gecko Maintainer <gecko-bugs-nobody>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: birger, caillon, gecko-bugs-nobody, jik, johnp, stransky, walters
Doc Type: Bug Fix
Last Closed: 2009-06-30 19:35:26 EDT
Bug Blocks: 473303

Description Nicolas Mailhot 2009-06-28 16:15:49 EDT
# rpm -q xulrunner firefox
xulrunner-1.9.1-0.23.beta4.fc12.x86_64
firefox-3.5-0.21.beta4.fc12.x86_64
# rpm -V xulrunner firefox
# 


$ gdb /usr/lib64/firefox-3.5b4/firefox
GNU gdb (GDB) Fedora (6.8.50.20090302-35.fc12)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Missing separate debuginfo for /usr/lib64/firefox-3.5b4/firefox
Try: yum --enablerepo='*-debuginfo' install /usr/lib/debug/.build-id/f0/15276a8ecf80f380c92c9475547eea1729f199.debug
(gdb) handle SIG33 noprint nostop
Signal        Stop	Print	Pass to program	Description
SIG33         No	No	Yes		Real-time event 33
(gdb) run
Starting program: /usr/lib64/firefox-3.5b4/firefox 
[Thread debugging using libthread_db enabled]
[New Thread 0x7fffeedff910 (LWP 23586)]
[New Thread 0x7fffee3fe910 (LWP 23587)]
[New Thread 0x7fffed9fd910 (LWP 23588)]
[New Thread 0x7fffeb2ff910 (LWP 23589)]
[Thread 0x7fffee3fe910 (LWP 23587) exited]
[Thread 0x7fffeb2ff910 (LWP 23589) exited]
[Thread 0x7fffed9fd910 (LWP 23588) exited]
[Thread 0x7fffeedff910 (LWP 23586) exited]
Executing new program: /usr/lib64/firefox-3.5b4/firefox
Missing separate debuginfo for /usr/lib64/firefox-3.5b4/firefox
Try: yum --enablerepo='*-debuginfo' install /usr/lib/debug/.build-id/f0/15276a8ecf80f380c92c9475547eea1729f199.debug
[Thread debugging using libthread_db enabled]
[New Thread 0x7fffeedff910 (LWP 23590)]
[New Thread 0x7fffee3fe910 (LWP 23591)]
[New Thread 0x7fffed9fd910 (LWP 23592)]
[New Thread 0x7fffeb1ff910 (LWP 23595)]
[New Thread 0x7fffe91ff910 (LWP 23596)]
[Thread 0x7fffe91ff910 (LWP 23596) exited]
[New Thread 0x7fffe85ff910 (LWP 23597)]
[Thread 0x7fffe85ff910 (LWP 23597) exited]
[New Thread 0x7fffe85ff910 (LWP 23598)]
[New Thread 0x7fffe91ff910 (LWP 23599)]
[New Thread 0x7fffde5e4910 (LWP 23600)]
[New Thread 0x7fffddbe3910 (LWP 23601)]
[New Thread 0x7fffdcfff910 (LWP 23602)]
*** buffer overflow detected ***: /usr/lib64/firefox-3.5b4/firefox terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x3d8c4f7537]
/lib64/libc.so.6[0x3d8c4f5590]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff6ebbaf2]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff6ebc1f3]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff6ebc353]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff6ec09c5]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff6eabdd2]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff6ea2617]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff6d8eecf]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff6d8ffc0]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff6ea6e9a]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff6ae46a2]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff6add6df]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff6849223]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67ac606]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67a5726]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67a5c7e]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67a6ea1]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67ae1c8]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67a519f]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67a58e3]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67a5c7e]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67a6ea1]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67aedc1]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67a510d]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67a58e3]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67a5c7e]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67a6ea1]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67ac90c]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67a4f75]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67a58e3]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67a5c7e]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67a6ea1]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67ad21e]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67a4e83]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67a58e3]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67a5c7e]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67a6ea1]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67a9337]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67a4da7]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67a58e3]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67a5c7e]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67a6ea1]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67a9337]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67a4da7]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67a58e3]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67a5c7e]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67b1b4e]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff67da275]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff69442cc]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff68fc81c]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff69dbebe]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff69dc8c0]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff6759ae1]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff6759bc6]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff675cbb6]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff6763302]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff6766a33]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff676732a]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff6c71f94]
/usr/lib64/xulrunner-1.9.1/libxul.so(NS_InvokeByIndex_P+0x279)[0x7ffff6f0cd55]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff664aaff]
/usr/lib64/xulrunner-1.9.1/libxul.so[0x7ffff66531d6]
======= Memory map: ========
00400000-00415000 r-xp 00000000 fd:00 3804969                            /usr/lib64/firefox-3.5b4/firefox
00614000-00615000 rw-p 00014000 fd:00 3804969                            /usr/lib64/firefox-3.5b4/firefox
00615000-00616000 rw-p 00000000 00:00 0                                  [heap]
39f2800000-39f2806000 r-xp 00000000 fd:00 3344034                        /usr/lib64/libgdbm.so.2.0.0
39f2806000-39f2a05000 ---p 00006000 fd:00 3344034                        /usr/lib64/libgdbm.so.2.0.0
39f2a05000-39f2a06000 rw-p 00005000 fd:00 3344034                        /usr/lib64/libgdbm.so.2.0.0
39f2c00000-39f2c59000 r-xp 00000000 fd:00 3344107                        /usr/lib64/libpulsecommon-0.9.15.so
39f2c59000-39f2e58000 ---p 00059000 fd:00 3344107                        /usr/lib64/libpulsecommon-0.9.15.so
39f2e58000-39f2e5a000 rw-p 00058000 fd:00 3344107                        /usr/lib64/libpulsecommon-0.9.15.so
39f3000000-39f300f000 r-xp 00000000 fd:00 3344424                        /usr/lib64/libcanberra.so.0.1.6
39f300f000-39f320f000 ---p 0000f000 fd:00 3344424                        /usr/lib64/libcanberra.so.0.1.6
39f320f000-39f3210000 rw-p 0000f000 fd:00 3344424                        /usr/lib64/libcanberra.so.0.1.6
39f3c00000-39f3c03000 r-xp 00000000 fd:00 3344428                        /usr/lib64/libcanberra-gtk.so.0.1.0
39f3c03000-39f3e03000 ---p 00003000 fd:00 3344428                        /usr/lib64/libcanberra-gtk.so.0.1.0
39f3e03000-39f3e04000 rw-p 00003000 fd:00 3344428                        /usr/lib64/libcanberra-gtk.so.0.1.0
39f4000000-39f4047000 r-xp 00000000 fd:00 3344858                        /usr/lib64/libpulse.so.0.8.0
39f4047000-39f4247000 ---p 00047000 fd:00 3344858                        /usr/lib64/libpulse.so.0.8.0
39f4247000-39f4249000 rw-p 00047000 fd:00 3344858                        /usr/lib64/libpulse.so.0.8.0
3d8c000000-3d8c01f000 r-xp 00000000 fd:00 393243                         /lib64/ld-2.10.1.so
3d8c21e000-3d8c21f000 r--p 0001e000 fd:00 393243                         /lib64/ld-2.10.1.so
3d8c21f000-3d8c220000 rw-p 0001f000 fd:00 393243                         /lib64/ld-2.10.1.so
3d8c400000-3d8c564000 r-xp 00000000 fd:00 395439                         /lib64/libc-2.10.1.so
3d8c564000-3d8c764000 ---p 00164000 fd:00 395439                         /lib64/libc-2.10.1.so
3d8c764000-3d8c768000 r--p 00164000 fd:00 395439                         /lib64/libc-2.10.1.so
3d8c768000-3d8c769000 rw-p 00168000 fd:00 395439                         /lib64/libc-2.10.1.so
3d8c769000-3d8c76e000 rw-p 00000000 00:00 0 
3d8c800000-3d8c882000 r-xp 00000000 fd:00 397054                         /lib64/libm-2.10.1.so
3d8c882000-3d8ca82000 ---p 00082000 fd:00 39705
Program received signal SIGABRT, Aborted.
0x0000003d8c4332f5 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64	  return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
Current language:  auto; currently minimal
(gdb) bt
#0  0x0000003d8c4332f5 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x0000003d8c434b20 in *__GI_abort () at abort.c:88
#2  0x0000003d8c47005d in __libc_message (do_abort=2, 
    fmt=0x7fffffff5c00 "10.1.so\n3d8c21f000-3d8c220000 rw-p 0001f000 fd:00 393243", ' ' <repeats 25 times>, "/lib64/ld-2.10.1.so\n3d8c400000-3d8c564000 r-xp 00000000 fd:00 395439", ' ' <repeats 25 times>, "/lib64/libc-2.10.1.so\n3d8c"...) at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#3  0x0000003d8c4f7537 in *__GI___fortify_fail (msg=0x3d8c53436f "buffer overflow detected") at fortify_fail.c:32
#4  0x0000003d8c4f5590 in *__GI___chk_fail () at chk_fail.c:29
#5  0x00007ffff6ebbaf2 in strcpy (__src=<value optimized out>, __dest=<value optimized out>) at /usr/include/bits/string3.h:106
#6  HashMgr::add_word (__src=<value optimized out>, __dest=<value optimized out>) at hashmgr.cpp:191
#7  0x00007ffff6ebc1f3 in HashMgr::load_tables (this=0x7fffdd070c00, tpath=<value optimized out>, key=<value optimized out>) at hashmgr.cpp:527
#8  0x00007ffff6ebc353 in HashMgr::HashMgr (this=0x7fffdd070c00, tpath=0x7fffffff6560 "/usr/lib64/xulrunner-1.9.1/dictionaries/en_GB.dic", 
    apath=<value optimized out>, key=0x0) at hashmgr.cpp:105
#9  0x00007ffff6ec09c5 in Hunspell::Hunspell (this=0x7fffe42e84c0, affpath=0x7fffdc454c88 "/usr/lib64/xulrunner-1.9.1/dictionaries/en_GB.aff", 
    dpath=0x7fffffff6560 "/usr/lib64/xulrunner-1.9.1/dictionaries/en_GB.dic", key=0x0) at hunspell.cpp:87
#10 0x00007ffff6eabdd2 in mozHunspell::SetDictionary (this=0x7fffe2ef0f60, aDictionary=<value optimized out>) at mozHunspell.cpp:157
#11 0x00007ffff6ea2617 in mozSpellChecker::SetCurrentDictionary (this=0x7fffe9857fb0, aDictionary=@0x7fffffff6670) at mozSpellChecker.cpp:373
#12 0x00007ffff6d8eecf in nsEditorSpellCheck::SetCurrentDictionary (this=<value optimized out>, aDictionary=<value optimized out>) at nsEditorSpellCheck.cpp:455
#13 0x00007ffff6d8ffc0 in nsEditorSpellCheck::InitSpellChecker (this=0x7fffdc454380, aEditor=0x7ffff6742b3c, aEnableSelectionChecking=0)
    at nsEditorSpellCheck.cpp:212
#14 0x00007ffff6ea6e9a in mozInlineSpellChecker::SetEnableRealTimeSpell (this=0x7fffe2ed0dc0, aEnabled=<value optimized out>) at mozInlineSpellChecker.cpp:726
#15 0x00007ffff6ae46a2 in nsEditor::SyncRealTimeSpell (this=0x7fffeb5bd240) at nsEditor.cpp:1341
#16 0x00007ffff6add6df in nsEditor::PostCreate (this=0x5c1f) at nsEditor.cpp:246
#17 0x00007ffff6849223 in nsTextControlFrame::SetInitialChildList (this=0x7fffdc457ec0, aListName=<value optimized out>, aChildList=<value optimized out>)
    at nsTextControlFrame.cpp:2816
#18 0x00007ffff67ac606 in nsCSSFrameConstructor::ConstructHTMLFrame (this=0x7fffe3cc7200, aState=@0x7fffffff8f60, aContent=<value optimized out>, 
    aParentFrame=<value optimized out>, aTag=0x7fffeb7ed0c8, aNameSpaceID=<value optimized out>, aStyleContext=0x7fffdc457d28, aFrameItems=@0x7fffffff6fb0, 
    aHasPseudoParent=0) at nsCSSFrameConstructor.cpp:5611
#19 0x00007ffff67a5726 in nsCSSFrameConstructor::ConstructFrameInternal (this=0x7fffe3cc7200, aState=@0x7fffffff8f60, aContent=0x7fffdd0ef520, 
    aParentFrame=<value optimized out>, aTag=<value optimized out>, aNameSpaceID=0, aStyleContext=0x7fffdc457d28, aFrameItems=@0x7fffffff6fb0, aXBLBaseTag=0)
    at nsCSSFrameConstructor.cpp:7544
#20 0x00007ffff67a5c7e in nsCSSFrameConstructor::ConstructFrame (this=<value optimized out>, aState=@0x7fffffff8f60, aContent=0x7fffdd0ef520, aParentFrame=
    0x7fffdc4578e8, aFrameItems=@0x7fffffff6fb0) at nsCSSFrameConstructor.cpp:7416
#21 0x00007ffff67a6ea1 in nsCSSFrameConstructor::ProcessChildren (this=0x7fffe3cc7200, aState=@0x7fffffff8f60, aContent=0x7fffdd0e6980, aFrame=0x7fffdc4578e8, 
    aCanHaveGeneratedContent=<value optimized out>, aFrameItems=@0x7fffffff6fb0, aParentIsBlock=-586298576) at nsCSSFrameConstructor.cpp:11391
#22 0x00007fffffff6fb0 in ?? ()
#23 0x00007fffdd0dcb30 in ?? ()
#24 0x00007fffdd0dcb30 in ?? ()
#25 0x00007fffdc4576c0 in ?? ()
#26 0x00007fffffff8ff8 in ?? ()
#27 0x00000001dd0dcb30 in ?? ()
#28 0x00007fffffff6ee0 in ?? ()
#29 0x00007fffffff6ec0 in ?? ()
#30 0x0000000000000000 in ?? ()
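What the backtrace above shows, with an added C example that is not code from Hunspell, xulrunner, Firefox or this bug report: frames #3 to #6 are glibc's _FORTIFY_SOURCE path. Built with -D_FORTIFY_SOURCE=2 and optimisation on, a strcpy() whose destination size the compiler knows is compiled as __strcpy_chk() (the inlined wrapper at bits/string3.h:106 in frame #5). When the source is longer than that size, __chk_fail() calls __fortify_fail("buffer overflow detected"), which prints the banner, the backtrace and the memory map seen in the report and then abort()s, hence the SIGABRT in raise(). Here the check fired in HashMgr::add_word() while loading en_GB.dic, so a dictionary entry was longer than the buffer it was being copied into. The page does not say what that buffer was, so the example uses a fixed-size stand-in: WORD_MAX, struct entry, add_word_unsafe, bounded_copy, parse_dic_line, load_fragment and the SAMPLE_DIC lines are all constructed for this illustration. It places the unchecked copy next to the same length test made explicitly, so an over-long entry is refused instead of the process being aborted.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed destination size, kept small so the constructed input exceeds it. */
#define WORD_MAX 8

struct entry { char word[WORD_MAX]; };

/* The unchecked pattern. Built with -O2 -D_FORTIFY_SOURCE=2, gcc knows
 * sizeof e->word and emits __strcpy_chk(e->word, word, WORD_MAX); a longer
 * word then produces exactly the "*** buffer overflow detected ***" abort
 * shown in the report. It is only ever called with a short word here. */
void add_word_unsafe(struct entry *e, const char *word)
{
    strcpy(e->word, word);
}

/* The check __strcpy_chk() performs, done explicitly: copy n bytes plus the
 * terminator into dst only if they fit. Returns 0 on success, -1 with
 * errno=ENAMETOOLONG if not; dst is left untouched on failure. */
int bounded_copy(char *dst, size_t dst_size, const char *src, size_t n)
{
    if (n + 1 > dst_size) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* One .dic entry is "word" or "word/FLAGS"; copy the word part into dst.
 * Returns the word length, or -1 if it does not fit in dst_size. */
int parse_dic_line(const char *line, char *dst, size_t dst_size)
{
    size_t wlen = strcspn(line, "/\r\n");   /* word ends at '/', EOL or NUL */
    if (bounded_copy(dst, dst_size, line, wlen) < 0)
        return -1;
    return (int)wlen;
}

/* Load a fragment of constructed .dic lines into WORD_MAX-sized entries.
 * Returns how many were accepted; *rejected (if non-NULL) gets the rest. */
int load_fragment(const char *const *lines, size_t n, int *rejected)
{
    struct entry e;
    int loaded = 0;
    for (size_t i = 0; i < n; i++) {
        if (parse_dic_line(lines[i], e.word, sizeof e.word) >= 0)
            loaded++;
    }
    if (rejected)
        *rejected = (int)n - loaded;
    return loaded;
}

/* Constructed sample: en_GB-style entries, two of them too long for WORD_MAX. */
static const char *const SAMPLE_DIC[] = {
    "colour/MS",        /* 6 chars: fits */
    "grey",             /* 4: fits */
    "neighbourhood/S",  /* 13: rejected */
    "aluminium",        /* 9: rejected (needs 10 bytes with the NUL) */
    "tyre/S",           /* 4: fits */
};
static char scratch[WORD_MAX];   /* shared buffer for the stand-alone run */

int main(void)
{
    struct entry e;
    add_word_unsafe(&e, "grey");  /* short input: no check fires */
    printf("unsafe copy of a short word: %s\n", e.word);

    size_t n = sizeof SAMPLE_DIC / sizeof SAMPLE_DIC[0];
    for (size_t i = 0; i < n; i++) {
        int len = parse_dic_line(SAMPLE_DIC[i], scratch, sizeof scratch);
        if (len < 0)
            printf("rejected  %-16s (%s)\n", SAMPLE_DIC[i], strerror(errno));
        else
            printf("accepted  %-16s -> \"%s\" (%d chars)\n", SAMPLE_DIC[i], scratch, len);
    }
    int rejected;
    int loaded = load_fragment(SAMPLE_DIC, n, &rejected);
    printf("%d loaded, %d rejected\n", loaded, rejected);
    return 0;
}
```

Compile the block with `gcc -O2 -D_FORTIFY_SOURCE=2` and call add_word_unsafe() with one of the long sample lines to see the same path as the report (the banner, the backtrace, then SIGABRT in raise()); the checked path returns -1 and leaves the process running, which is what a dictionary loader fed an untrusted .dic file should do.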
Comment 1 Jonathan Kamens 2009-06-30 11:32:42 EDT
Disabling spell-checking makes the crash go away.
Comment 2 Matěj Cepl 2009-06-30 19:34:33 EDT
*** Bug 508773 has been marked as a duplicate of this bug. ***
Comment 3 Matěj Cepl 2009-06-30 19:35:26 EDT

*** This bug has been marked as a duplicate of bug 506952 ***